A LOGICAL PROCESS CALCULUS


RANCE CLEAVELAND AND GERALD LÜTTGEN

Abstract. This paper presents the Logical Process Calculus (LPC), a formalism that supports heterogeneous system specifications containing both operational and declarative subspecifications. Syntactically, LPC extends Milner's Calculus of Communicating Systems with operators from the alternation-free linear-time $\mu$-calculus (LT$\mu$). Semantically, LPC is equipped with a behavioral preorder that generalizes Hennessy's and DeNicola's must-testing preorder as well as LT$\mu$'s satisfaction relation, while being compositional for all LPC operators. From a technical point of view, the new calculus is distinguished by the inclusion of (i) both minimal and maximal fixed-point operators and (ii) an unimplementability predicate on process terms, which tags inconsistent specifications. The utility of LPC is demonstrated by means of an example highlighting the benefits of heterogeneous system specification.

Key words. heterogeneous specification, must-testing, process algebra, temporal logic, testing theory

Subject  classification.  Computer  Science 

1. Introduction. Over the past two decades, a wealth of approaches to formally specifying and reasoning about reactive systems have been introduced. Most of these may be classified according to whether they are based on process algebra [3] or temporal logic [27]. The process-algebraic paradigm is founded on notions of refinement, where one typically formulates a system specification and its implementation in the same notation and then proves that the latter refines the former. The underlying semantics is usually given operationally, and refinement relations are formalized as preorders. In contrast, the temporal-logic paradigm is based on the use of temporal logics [27] to formulate specifications, with implementations being given in an operational notation. One then verifies a system by establishing that it is a model of its specification, in the formal logical sense. The strength of the former paradigm is its support for compositional reasoning, i.e., one may refine system components independently of others. The benefit of the latter paradigm originates in its support for abstract specifications, where irrelevant operational details may be ignored. Both approaches may be given automated support in the form of model checking when the considered systems are finite-state.

The objective of this paper is to develop a compositional theory for heterogeneous specifications that uniformly integrates both refinement-based and temporal-logic specification styles, thereby allowing both approaches to be taken advantage of when designing systems. Accordingly, we present a novel Logical Process Calculus (LPC) that combines the algebraic operators of Milner's Calculus of Communicating Systems (CCS) [25] with the logical operators of the Alternation-Free Linear-Time $\mu$-Calculus (LT$\mu$) [32]. More precisely, we show that logical disjunction in LT$\mu$ may be understood as internal choice, complementing the external choice operator in CCS, and logical conjunction in LT$\mu$ as synchronous parallel composition, complementing asynchronous parallel composition in CCS. Moreover, LT$\mu$ is equipped with two recursion operators, a least fixed-point operator and a greatest fixed-point operator, which allow for the finite but unbounded, and the infinite, unwinding of recursion, respectively. The behavior described by the greatest fixed-point operator in LT$\mu$ thus corresponds to recursion in CCS. In the light of this discussion, LPC extends CCS by operators for disjunction, conjunction, and minimal fixed points, as well as the basic processes true and false, and thereby allows for the encoding of both LT$\mu$ formulas and CCS processes in LPC (cf. Sec. 2).

The semantics of LPC is based on the testing approach of DeNicola and Hennessy [11]. The hallmarks of this theory are the use of transitions to model both processes and tests and the differentiation of processes on the basis of their responses to tests. Accordingly, we equip LPC terms with a transition relation defining the single-step transitions that specifications may engage in. We also introduce a novel unimplementability predicate on terms whose role is to identify inconsistent specifications, such as false, that cannot be implemented. Both the transition relation and the unimplementability predicate are defined via structural operational rules, i.e., in a syntax-driven fashion. We then carry over the definitions of must-testing in [11] to our setting and show that the resulting behavioral preorder (i) conservatively extends the traditional must-preorder between CCS specifications; (ii) is compositional for all operators in LPC; and (iii) naturally encodes the standard satisfaction relation between CCS processes and LT$\mu$ formulas (cf. Sec. 3). Thus, our framework may be seen to unify refinement-based and logic-based approaches to system specification, while facilitating component-based reasoning. Technically, this expressiveness follows from the mathematically coherent inclusion of process and logical operators in LPC that is enabled by our treatment of unimplementability (cf. Sec. 4). Practically, the theory allows system modelers to freely intermix operational and declarative subspecifications using both system operators (e.g. parallel composition) and logical constructors (e.g. conjunction). This gives engineers powerful tools to model system components at different levels of abstraction and to impose declarative constraints on the execution behavior of components (cf. Sec. 5).

2. A Logical Process Calculus. This section formally introduces our logical process calculus, LPC. We first present its syntax and then define its semantics via operational rules and a novel unimplementability predicate. Finally, the calculus is equipped with a refinement preorder on processes, which is an adaptation of DeNicola and Hennessy's must-testing preorder [11].

2.1. Syntax of LPC. The syntax of LPC extends Milner's CCS [25] with disjunction, conjunction, and least fixed-point operators. It also includes a process constant for the universal process $\mathit{tt}$, while $\mathit{ff}$ will be a derived process term in our calculus. Formally, let $\Lambda$ be a countable set of actions, or ports, not including the distinguished unobservable, internal action $\tau$. With every $a \in \Lambda$ we associate a complementary action $\bar{a}$. We define $\bar{\Lambda} := \{\bar{a} \mid a \in \Lambda\}$ and take $\mathcal{A}$ to denote the set $\Lambda \cup \bar{\Lambda}$. Complementation is lifted to $\mathcal{A}$ by defining $\bar{\bar{a}} := a$. As in CCS, an action $a$ communicates with its complement $\bar{a}$ to produce the internal action $\tau$. We let $a, b, \ldots$ range over $\mathcal{A}$ and $\alpha, \beta, \ldots$ over $\mathcal{A}_\tau := \mathcal{A} \cup \{\tau\}$. The syntax of LPC is then defined as follows:

\[ P ::= 0 \mid \mathit{tt} \mid x \mid w \mid \alpha.P \mid P + P \mid P \vee P \mid P|P \mid P \wedge P \mid P \backslash L \mid P[f] \mid \mu x.P \mid \mu_k x.P \mid \nu x.P \]

where $k \in \mathbb{N}$, $x$ is a variable taken from some nonempty set $\mathcal{V}$ of variables, $w$ is an infinite word over $\mathcal{A}$ whose inclusion will be discussed in the next section, set $L \subseteq \mathcal{A}$ is a restriction set, and $f : \mathcal{A}_\tau \to \mathcal{A}_\tau$ is a finite relabeling. A finite relabeling satisfies the properties $f(\tau) = \tau$, $f(\bar{a}) = \overline{f(a)}$, and $|\{a \mid f(a) \neq a\}| < \infty$. We define $\bar{L} := \{\bar{a} \mid a \in L\}$ and use the standard definitions for free and bound variables, open and closed terms, guardedness, and contexts. We require for fixed-point terms $\mu x.P$, $\mu_k x.P$, and $\nu x.P$ that $x$ is guarded in $P$.

Intuitively, $\mu x.P$ stands for finite unbounded unwindings of $P$, while $\mu_k x.P$ encodes finite unwindings of $P$ bounded by $k$. A term is called alternation-free if every variable bound by a least (greatest) fixed-point $\mu x.P$ ($\nu x.P$) does not occur free in a subterm $\nu y.Q$ ($\mu y.Q$) of $P$. We refer to closed, guarded, and alternation-free¹ terms as processes, with the set of all processes written as $\mathcal{P}$. Finally, we denote syntactic equality by $\equiv$.

While it is obvious that LPC subsumes all CCS processes, it is not immediately clear that it also encodes all Alternation-Free Linear-Time $\mu$-Calculus (LT$\mu$) formulas [5]². The syntax of LT$\mu$ formulas is given by the following BNF:

\[ \Phi ::= 0 \mid \mathit{tt} \mid \mathit{ff} \mid x \mid \langle a \rangle \Phi \mid \Phi \vee \Phi \mid \Phi \wedge \Phi \mid \mu x.\Phi \mid \nu x.\Phi \]

In our setting, LT$\mu$ formulas will be interpreted over infinite action sequences and also finite ones leading to deadlock. This is why the 'deadlock formula' $0$ is included in LT$\mu$. In LPC, $\mathit{ff}$ corresponds to the term $\mu x.\tau.x$ and the next operator '$\langle a \rangle$', for $a \in \mathcal{A}$, to the prefix operator '$a.$'.

2.2. Semantics of LPC. The operational semantics of an LPC process $P$ is given as a labeled transition system $\langle \mathcal{P}, \mathcal{A}_\tau, \longrightarrow, \#, P \rangle$, where $\mathcal{P}$ is the set of states, $\mathcal{A}_\tau$ the alphabet, $\longrightarrow \subseteq \mathcal{P} \times \mathcal{A}_\tau \times \mathcal{P}$ the transition relation, $\# \subseteq \mathcal{P}$ our unimplementability predicate that is discussed below, and $P$ the start state.

The transition relation is defined by the structural operational rules displayed in Table 2.1. For convenience, we write $P \xrightarrow{\alpha} P'$ instead of $(P, \alpha, P') \in \longrightarrow$. Note that, for the CCS operators, the semantics is exactly as in [25]. As for the other constructs, $\mathit{tt}$ can nondeterministically engage in any action transition, or decide to deadlock (cf. Rules (True1) and (True2)). Process $\alpha.P$ may engage in action $\alpha$ and then behave like $P$ (cf. Rule (Act1)), and similarly the process described by the infinite word $aw$ may engage in its initial action $a$ and then behave like $w$ (cf. Rule (Act2)). The reason for including process $w$ is to enable the modeling of arbitrary system environments within our calculus, including those exhibiting irregular behavior. The summation operator $+$ denotes nondeterministic external choice such that $P + Q$ may behave like $P$ or $Q$, depending on which communication initially offered by $P$ and $Q$ is accepted by the environment (cf. Rules (Sum1) and (Sum2)). Analogously, $\vee$ encodes disjunction or nondeterministic internal choice, i.e., process $P \vee Q$ determines internally, without consulting its environment, whether to execute $P$ or $Q$ (cf. Rules (Dis1) and (Dis2)). Process $P|Q$ stands for the asynchronous parallel composition of processes $P$ and $Q$ according to an interleaving semantics with synchronized communication on complementary actions, resulting in the internal action $\tau$ (cf. Rules (Par1)-(Par3)). Similarly, $P \wedge Q$ encodes the conjunction or synchronous parallel composition of $P$ and $Q$, with synchronization on all visible actions and interleaving on $\tau$ (cf. Rules (Con1)-(Con3)). The restriction operator $\backslash L$ prohibits the execution of actions in $L \cup \bar{L}$ and, thus, permits the scoping of actions. Process $P[f]$ behaves exactly as $P$ where actions are renamed according to the relabeling $f$. The remaining rules define the semantics of our least and greatest fixed-point operators. The minimal fixed-point process $\mu x.P$ first guesses some number $k \in \mathbb{N}$ that determines how often $P$ might be unwound, as encoded by the process $\mu_k x.P$ (cf. Rules (Mu1) and (Mu2))³. Here, $P[Q/x]$ stands for the process $P$ with all of its free occurrences of variable $x$ substituted by $Q$. This account of $\mu$

¹The restriction to alternation-free processes is made for continuity reasons that are elaborated on later.

²LT$\mu$ is more expressive than linear-time temporal logic, so the limitation to alternation-free formulas does not impose undue expressiveness restrictions.

³The presence of unbounded internal choice in Rules (True1) and (Mu1) presents problems for more denotational process theories; in LPC it proves not to be problematic because of our exclusively operational orientation.
Table 2.1

Operational semantics

\[
\begin{array}{ll}
\text{(True1)}\quad \dfrac{}{\mathit{tt} \xrightarrow{\tau} a.\mathit{tt}}\ \ a \in \mathcal{A}
& \text{(True2)}\quad \dfrac{}{\mathit{tt} \xrightarrow{\tau} 0} \\[2ex]
\text{(Act1)}\quad \dfrac{}{\alpha.P \xrightarrow{\alpha} P}
& \text{(Act2)}\quad \dfrac{}{aw \xrightarrow{a} w} \\[2ex]
\text{(Sum1)}\quad \dfrac{P \xrightarrow{\alpha} P'}{P + Q \xrightarrow{\alpha} P'}
& \text{(Sum2)}\quad \dfrac{Q \xrightarrow{\alpha} Q'}{P + Q \xrightarrow{\alpha} Q'} \\[2ex]
\text{(Dis1)}\quad \dfrac{}{P \vee Q \xrightarrow{\tau} P}
& \text{(Dis2)}\quad \dfrac{}{P \vee Q \xrightarrow{\tau} Q} \\[2ex]
\text{(Par1)}\quad \dfrac{P \xrightarrow{\alpha} P'}{P|Q \xrightarrow{\alpha} P'|Q}
& \text{(Par2)}\quad \dfrac{Q \xrightarrow{\alpha} Q'}{P|Q \xrightarrow{\alpha} P|Q'} \\[2ex]
\text{(Par3)}\quad \dfrac{P \xrightarrow{a} P' \qquad Q \xrightarrow{\bar{a}} Q'}{P|Q \xrightarrow{\tau} P'|Q'}
& \text{(Con3)}\quad \dfrac{P \xrightarrow{a} P' \qquad Q \xrightarrow{a} Q'}{P \wedge Q \xrightarrow{a} P' \wedge Q'} \\[2ex]
\text{(Con1)}\quad \dfrac{P \xrightarrow{\tau} P'}{P \wedge Q \xrightarrow{\tau} P' \wedge Q}
& \text{(Con2)}\quad \dfrac{Q \xrightarrow{\tau} Q'}{P \wedge Q \xrightarrow{\tau} P \wedge Q'} \\[2ex]
\text{(Res)}\quad \dfrac{P \xrightarrow{\alpha} P'}{P \backslash L \xrightarrow{\alpha} P' \backslash L}\ \ \alpha \notin L \cup \bar{L}
& \text{(Rel)}\quad \dfrac{P \xrightarrow{\alpha} P'}{P[f] \xrightarrow{f(\alpha)} P'[f]} \\[2ex]
\text{(Mu1)}\quad \dfrac{}{\mu x.P \xrightarrow{\tau} \mu_k x.P}\ \ k \in \mathbb{N}
& \text{(Mu2)}\quad \dfrac{P[\mu_{k-1} x.P / x] \xrightarrow{\alpha} P'}{\mu_k x.P \xrightarrow{\alpha} P'}\ \ k > 0 \\[2ex]
\text{(Nu)}\quad \dfrac{P[\nu x.P / x] \xrightarrow{\alpha} P'}{\nu x.P \xrightarrow{\alpha} P'} &
\end{array}
\]


may be seen as embodying a form of continuity: $\mu$ is interpreted in terms of its finite unwindings. Because of continuity problems associated with alternating least and greatest fixed points, in this paper we only consider alternation-free process expressions. The maximal fixed-point process $\nu x.P$ may unwind its loop indefinitely, as is the case for recursion in CCS (cf. Rule (Nu)). Note that the purely divergent process $\Omega$, employed in some process algebras [16] for describing infinite internal computation, can be derived in LPC as $\nu x.\tau.x$.

Temporal logics, including LT$\mu$, are capable of specifying inconsistencies or contradictions, i.e., behaviors equivalent to false. From an operational point of view, a process describing an inconsistency is not implementable, and thus runs of processes passing through unimplementable states should be ignored. Due to nondeterministic choice, a process that can engage in such runs is not necessarily unimplementable itself. It is only unimplementable if all of its runs must pass through an unimplementable state. This intuition is reflected in the definition of our unimplementability predicate, given in Table 2.2, where we write $P\,\#$ for
Table 2.2

Unimplementability predicate $\#$

1. $\mu_0 x.P\,\#$

2. $P \longrightarrow$ and $P \wedge Q \not\longrightarrow$ implies $P \wedge Q\,\#$

3. $Q \longrightarrow$ and $P \wedge Q \not\longrightarrow$ implies $P \wedge Q\,\#$

4. $P\,\#$ implies $\alpha.P\,\#$, $P[f]\,\#$, $P \backslash L\,\#$, $P \wedge Q\,\#$, $Q \wedge P\,\#$, $P|Q\,\#$, $Q|P\,\#$, $\nu x.P\,\#$, $\mu x.P\,\#$, and $\mu_k x.P\,\#$

5. $P\,\#$ and $Q\,\#$ implies $P + Q\,\#$ and $P \vee Q\,\#$

6. $P[\mu_{k-1} x.P / x]\,\#$ implies $\mu_k x.P\,\#$, for $k > 0$

7. $(\forall k.\ \mu_k x.P\,\#)$ implies $\mu x.P\,\#$


$P \in \#$, and where $P \longrightarrow$ stands for $\exists P' \in \mathcal{P}\ \exists \alpha \in \mathcal{A}_\tau.\ P \xrightarrow{\alpha} P'$. In particular, a contradiction is present within a conjunction $P \wedge Q$ if the conjunction process cannot engage in any transition, although one of its argument processes can (cf. Rules (2) and (3)). As an example, consider process $a.0 \wedge b.0$, for $a \neq b$. Further, Rule (4) states that the unimplementability of $P$ propagates backwards through prefixing. Note that the operational semantics for LPC distinguishes between inconsistent processes that are unimplementable and deadlocked processes that are implementable. For example, both processes $(a.0|b.0) \backslash \{a, b\}$ and $a.0 \wedge b.0$ cannot engage in any transitions. However, $(a.0 \wedge b.0)\,\#$ while $\neg(((a.0|b.0) \backslash \{a, b\})\,\#)$, as desired. All other rules are straightforward, except for least fixed-point processes, such as the process $\mu_0 x.P$ that cannot unwind its body $P$ further and is thus considered to be unimplementable (cf. Rule (1)). Together with Rules (6) and (7), this implies that the process $\mu x.\tau.x$, which can engage in finite but unbounded numbers of $\tau$'s, is actually unimplementable. Indeed, we will identify this process with false and abbreviate it by $\mathit{ff}$. Finally, it is easy to prove via induction on the structure of process terms that $P \xrightarrow{\alpha} P'$ and $P\,\#$ implies $P'\,\#$, for any $P, P' \in \mathcal{P}$ and $\alpha \in \mathcal{A}_\tau$.
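The rules of Tables 2.1 and 2.2 are syntax-driven, so they can be evaluated mechanically. The following Python evaluator is an example added here; it is not code from the paper. It encodes terms as nested tuples and implements the transition rules and the predicate $\#$ for a finite fragment of LPC. The restrictions are ours, not LPC's: the action set is a finite list chosen by the caller (so $\mathit{tt}$ ranges over it), the infinite-word process $w$ and relabeling $P[f]$ are omitted, and the unbounded choice of $k$ in Rule (Mu1) as well as the "for all $k$" premise of Rule (7) are explored only up to a caller-supplied bound, i.e., the check of Rule (7) is a bounded approximation.

```python
# Added example (not from the paper): a syntax-driven evaluator for the
# transition rules of Table 2.1 and the unimplementability predicate of
# Table 2.2 on a finite fragment of LPC. Demo-only restrictions: the action
# set is a finite list `acts` chosen by the caller (tt picks from it), the
# infinite-word process w and relabelling P[f] are left out, and the unbounded
# k of rule (Mu1) as well as the "for all k" premise of rule (7) are explored
# only up to the caller-supplied bound `kmax` (a bounded approximation).
TAU = 'tau'

def co(a):
    """Complementary action: 'a' <-> '~a'."""
    return a[1:] if a.startswith('~') else '~' + a

# Terms are nested tuples: ('nil',) for 0 | ('tt',) | ('var', x) | ('pre', alpha, P)
# | ('sum'|'or'|'par'|'and', P, Q) | ('res', P, L) with L a frozenset
# | ('mu', x, P) | ('muk', k, x, P) | ('nu', x, P)

def subst(P, x, Q):
    """P[Q/x] for closed Q (stops at a binder that rebinds x)."""
    tag = P[0]
    if tag == 'var':
        return Q if P[1] == x else P
    if tag == 'pre':
        return ('pre', P[1], subst(P[2], x, Q))
    if tag in ('sum', 'or', 'par', 'and'):
        return (tag, subst(P[1], x, Q), subst(P[2], x, Q))
    if tag == 'res':
        return ('res', subst(P[1], x, Q), P[2])
    if tag in ('mu', 'nu'):
        return P if P[1] == x else (tag, P[1], subst(P[2], x, Q))
    if tag == 'muk':
        return P if P[2] == x else (tag, P[1], P[2], subst(P[3], x, Q))
    return P                                   # 'nil', 'tt'

def step(P, acts, kmax):
    """All transitions (alpha, P') of P (Table 2.1)."""
    tag = P[0]
    if tag == 'tt':                            # True1, True2
        return [(TAU, ('pre', a, ('tt',))) for a in acts] + [(TAU, ('nil',))]
    if tag == 'pre':                           # Act1
        return [(P[1], P[2])]
    if tag == 'sum':                           # Sum1, Sum2
        return step(P[1], acts, kmax) + step(P[2], acts, kmax)
    if tag == 'or':                            # Dis1, Dis2
        return [(TAU, P[1]), (TAU, P[2])]
    if tag in ('par', 'and'):                  # Par1-3 / Con1-3
        L, R = P[1], P[2]
        sl, sr = step(L, acts, kmax), step(R, acts, kmax)
        if tag == 'par':                       # interleave, sync on a / ~a
            out = [(a, ('par', L2, R)) for a, L2 in sl]
            out += [(b, ('par', L, R2)) for b, R2 in sr]
            sync = [(TAU, ('par', L2, R2)) for a, L2 in sl for b, R2 in sr
                    if a != TAU and b == co(a)]
        else:                                  # interleave tau, sync on a / a
            out = [(TAU, ('and', L2, R)) for a, L2 in sl if a == TAU]
            out += [(TAU, ('and', L, R2)) for b, R2 in sr if b == TAU]
            sync = [(a, ('and', L2, R2)) for a, L2 in sl for b, R2 in sr
                    if a != TAU and a == b]
        return out + sync
    if tag == 'res':                           # Res: alpha not in L u co(L)
        bad = set(P[2]) | {co(a) for a in P[2]}
        return [(a, ('res', P2, P[2])) for a, P2 in step(P[1], acts, kmax)
                if a not in bad]
    if tag == 'mu':                            # Mu1, k bounded by kmax
        return [(TAU, ('muk', k, P[1], P[2])) for k in range(kmax + 1)]
    if tag == 'muk' and P[1] > 0:              # Mu2 (mu_0 has no moves)
        return step(subst(P[3], P[2], ('muk', P[1] - 1, P[2], P[3])), acts, kmax)
    if tag == 'nu':                            # Nu
        return step(subst(P[2], P[1], P), acts, kmax)
    return []                                  # 'nil', 'var', mu_0

def unimpl(P, acts, kmax):
    """P # (Table 2.2); rule (7) is checked only for k <= kmax."""
    tag = P[0]
    u = lambda Q: unimpl(Q, acts, kmax)
    if tag == 'muk' and P[1] == 0:             # rule (1)
        return True
    if tag == 'and':                           # rules (2), (3), (4)
        L, R = P[1], P[2]
        if u(L) or u(R):
            return True
        can = step(L, acts, kmax) or step(R, acts, kmax)
        return bool(can) and not step(P, acts, kmax)
    if tag in ('pre', 'res', 'nu'):            # rule (4)
        return u(P[1] if tag == 'res' else P[2])
    if tag == 'par':                           # rule (4)
        return u(P[1]) or u(P[2])
    if tag in ('sum', 'or'):                   # rule (5)
        return u(P[1]) and u(P[2])
    if tag == 'muk':                           # rules (4), (6)
        k, x, body = P[1], P[2], P[3]
        return u(body) or u(subst(body, x, ('muk', k - 1, x, body)))
    if tag == 'mu':                            # rule (4), bounded rule (7)
        return u(P[2]) or all(u(('muk', k, P[1], P[2])) for k in range(kmax + 1))
    return False                               # 0, tt, variables

if __name__ == '__main__':
    A = ['a', 'b']
    a0, b0 = ('pre', 'a', ('nil',)), ('pre', 'b', ('nil',))
    print(unimpl(('and', a0, b0), A, 3))                                  # True
    print(unimpl(('res', ('par', a0, b0), frozenset({'a', 'b'})), A, 3))  # False
    print(unimpl(('mu', 'x', ('pre', TAU, ('var', 'x'))), A, 3))          # True (ff)
```

Running the script reproduces the two examples from the text: $a.0 \wedge b.0$ is tagged unimplementable by Rules (2) and (3), while the deadlocked $(a.0|b.0) \backslash \{a,b\}$ is not; $\mu x.\tau.x$ is tagged unimplementable through Rules (1), (4), (6) and (7). The conjunction $a.0 \wedge a.b.0$ shows the other remark of the text: it is implementable itself but its only successor $0 \wedge b.0$ is not.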

The semantics for LPC does not only extend the standard CCS semantics but is also compatible with the semantics of LT$\mu$ formulas; see Thm. 3.5. This theorem, however, is not straightforward, and its proof requires us to build a rich semantic theory for LPC. Before doing so we first introduce some notation. A potential path $\pi$ of process $P$ is a sequence of transitions $(P_i \xrightarrow{\alpha_i} P_{i+1})_{0 \le i < k}$, for some $k \in \mathbb{N} \cup \{\omega\}$, such that $P_0 \equiv P$. If $\neg(P_i\,\#)$ for all $0 \le i \le k$, then $\pi$ is called an implementable path, or simply path. We use $|\pi|$ to refer to $k$, the length of $\pi$. If $|\pi| = \omega$, we say that $\pi$ is infinite; otherwise, $\pi$ is finite. Moreover, $\pi$ is called maximal if $|\pi| < \omega$ and $P_{|\pi|} \not\longrightarrow$. The trace $\mathrm{trace}(\pi)$ of $\pi$ is defined as the word $w := (\alpha_i)_{i \in I} \in \mathcal{A}^\infty := \mathcal{A}^* \cup \mathcal{A}^\omega$, where $I := \{0 \le i < |\pi| \mid \alpha_i \neq \tau\}$. In the case of $I = \emptyset$, we let $\epsilon$ stand for $w = ()$. Moreover, if $\pi$ is finite, we also write $P \stackrel{w}{\Longrightarrow} P_{|\pi|}$ for $\pi$. We denote the sets of all finite, maximal, and infinite paths of $P$ by $\Pi_{\mathrm{fin}}(P)$, $\Pi_{\mathrm{max}}(P)$, and $\Pi_\omega(P)$, respectively. We may also introduce according languages for $P$:

\[
\begin{array}{lll}
\mathcal{L}_{\mathrm{fin}}(P) := \{\mathrm{trace}(\pi) \mid \pi \in \Pi_{\mathrm{fin}}(P)\} \subseteq \mathcal{A}^* & & \text{finite-trace language of } P \\
\mathcal{L}_{\mathrm{max}}(P) := \{\mathrm{trace}(\pi) \mid \pi \in \Pi_{\mathrm{max}}(P)\} \subseteq \mathcal{A}^* & & \text{maximal-trace language of } P \\
\mathcal{L}_\omega(P) := \{\mathrm{trace}(\pi) \mid \pi \in \Pi_\omega(P)\} \subseteq \mathcal{A}^\omega & & \text{infinite-trace language of } P
\end{array}
\]

The semantic theory to be developed for LPC relies on the notion of divergence, i.e., a system's ability to engage in an infinite internal computation. In this paper, we employ the traditional notion of divergence as used by DeNicola and Hennessy [11]; more sophisticated definitions may be found elsewhere in the literature [6, 26, 28]. A process $P$ is divergent, in signs $P \Uparrow$, if $\epsilon \in \mathcal{L}_\omega(P)$. For example, the process $\Omega := \nu x.\tau.x$ is divergent. A process $P$ is called $w$-divergent for some $w \in \mathcal{A}^\infty$, in signs $P \Uparrow w$, if $\exists P' \in \mathcal{P}\ \exists v \le_{\mathrm{fin}} w.\ P \stackrel{v}{\Longrightarrow} P'$ and $P' \Uparrow$. Here, $\le_{\mathrm{fin}}$ stands for the prefix ordering on words. We further write $\mathcal{L}_{\mathrm{div}}(P)$ for the divergent-trace language of $P$, i.e., $\mathcal{L}_{\mathrm{div}}(P) := \{w \in \mathcal{A}^\infty \mid P \Uparrow w\}$. Finally, $P$ is called convergent or $w$-convergent, in symbols $P \Downarrow$ and $P \Downarrow w$, if $\neg(P \Uparrow)$ and $\neg(P \Uparrow w)$, respectively.

2.3. Refinement in LPC. We now turn our attention to a behavioral theory of LPC, which defines a behavioral preorder $\sqsubseteq$ on processes such that $P \sqsubseteq Q$, i.e., $Q$ refines $P$, if $Q$ is 'more defined' than $P$. The preorder is an adaptation of DeNicola and Hennessy's must-preorder [11], which was developed within an elegant testing theory and distinguishes processes on the basis of the tests they are necessarily able to pass. In this context, tests are processes equipped with a special action $\surd$, which are employed to witness the interactions a process may have with its environment. In order to determine whether a process passes a test, one has to examine the maximal and infinite computations that result when the test runs in lock-step with the process under consideration.

Formally, a test is a process that might use the distinguished success action $\surd \notin \mathcal{A}_\tau$. The set of all tests is denoted by $\mathcal{T}$. A maximal (infinite) computation $\pi$ of process $P$ and test $T$ is a maximal (infinite) path $\pi$ of $(P|T) \backslash \mathcal{A}$, i.e., $\pi = ((P_i|T_i) \backslash \mathcal{A} \xrightarrow{\alpha_i} (P_{i+1}|T_{i+1}) \backslash \mathcal{A})_{0 \le i < |\pi|}$. Recall that paths only go along implementable states. Computation $\pi$ is successful if $T_k \xrightarrow{\surd}$ for some $0 \le k \le |\pi|$; otherwise, it is unsuccessful. Finally, process $P$ is said to must-satisfy test $T$, in symbols $P\ \mathbf{must}\ T$, if every maximal and infinite computation of $P$ and $T$ is successful. Our variant of the must-preorder can now be defined as follows.

Definition 2.1 (Must-preorder). For $P, Q \in \mathcal{P}$ we let $P \sqsubseteq Q$ if, for all $T \in \mathcal{T}$, $P\ \mathbf{must}\ T$ implies $Q\ \mathbf{must}\ T$.

It is easy to see that $\sqsubseteq$ is a preorder, i.e., that it is reflexive and transitive. Note that this preorder can be extended to open terms by the usual means of closed substitution [25]. Moreover, $\sqsubseteq$ satisfies the following basic algebraic laws, where $\approx$ stands for the kernel $\sqsubseteq \cap (\sqsubseteq)^{-1}$ of $\sqsubseteq$.

Proposition 2.2. Let $P, Q, R \in \mathcal{P}$. Then, the following holds:

\[
\begin{array}{llll}
P|Q \approx Q|P & (P|Q)|R \approx P|(Q|R) & P|0 \approx P & P|\Omega \approx \Omega \\[1ex]
P \wedge Q \approx Q \wedge P & (P \wedge Q) \wedge R \approx P \wedge (Q \wedge R) & P \wedge \mathit{tt} \approx P & P \wedge \mathit{ff} \approx \mathit{ff} \\[1ex]
P + Q \approx Q + P & (P + Q) + R \approx P + (Q + R) & P + 0 \approx P & P + \Omega \approx \Omega \\[1ex]
P \vee Q \approx Q \vee P & (P \vee Q) \vee R \approx P \vee (Q \vee R) & P \vee \mathit{tt} \approx \mathit{tt} & P \vee \mathit{ff} \approx P
\end{array}
\]

Further, $P \wedge P \approx P$, $P \vee P \approx P$, and $P \vee Q \sqsubseteq P$.

It is also easy to see that the divergent process $\Omega$ does not must-satisfy any tests, except the trivial ones, such as $\surd.0$. Hence, it is the smallest process with respect to $\sqsubseteq$. Conversely, process $\mathit{ff}$ must-satisfies every test, since it does not possess any computation due to $\mathit{ff}\,\#$. Consequently, $\mathit{ff}$ is the largest process with respect to $\sqsubseteq$. Also $\mathit{tt}$ is a distinguished process in our setting; it is the smallest convergent process with respect to $\sqsubseteq$. Thus, we have $\Omega \sqsubseteq \mathit{tt} \sqsubseteq \mathit{ff}$⁴.

⁴This ordering is the reverse of the more usual Boolean ordering, which holds that $\mathit{ff}$ is lower than $\mathit{tt}$. Our ordering is due to the fact that must refinement implies reverse language containment.
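The must-testing relation of Sec. 2.3 is decidable for finite-state processes and tests, and checking it mechanically makes the ordering $\Omega \sqsubseteq \mathit{tt} \sqsubseteq \mathit{ff}$ and the law $P \vee Q \sqsubseteq P$ concrete. The following Python procedure is an example added here, not code from the paper. It works on explicit finite transition systems given as dictionaries (constructed for the demo), plays the role of $\surd$ with the label 'ok', and treats unimplementable process states as a set that computations never enter, as paths only run along implementable states. Since Definition 2.1 quantifies over all tests, the `refines` helper can only check the preorder with respect to a finite family of tests supplied by the caller.

```python
# Added example (not from the paper): the must-testing relation of Sec. 2.3
# on explicit finite-state transition systems. A process or test is a dict
# state -> list of (action, successor); 'tau' is internal, 'ok' stands for
# the success action of tests, and '~a' is the complement of 'a'.
# Unimplementable process states (P #) are passed as a set and never entered,
# since paths only run along implementable states. All systems below are
# constructed for the demo.
TAU, OK = 'tau', 'ok'

def co(a):
    return a[1:] if a.startswith('~') else '~' + a

def product_moves(proc, p, test, t):
    """Transitions of (P|T)\\A from the pair (p, t): tau moves of either side
    (Par1, Par2) and synchronisations on complementary actions (Par3);
    the restriction by A removes every other visible move (Res)."""
    out = [(p2, t) for a, p2 in proc.get(p, []) if a == TAU]
    out += [(p, t2) for b, t2 in test.get(t, []) if b == TAU]
    out += [(p2, t2) for a, p2 in proc.get(p, []) if a != TAU
            for b, t2 in test.get(t, []) if b == co(a)]
    return out

def must(proc, p0, test, t0, unimpl=frozenset()):
    """P must T: every maximal (deadlocked) and every infinite computation is
    successful, i.e. visits a pair whose test part can do 'ok'. Exploration
    stops at such pairs, so an unsuccessful computation shows up either as a
    deadlock or as a cycle among the pairs reached without passing one."""
    if p0 in unimpl:                           # no computations at all (e.g. ff)
        return True
    visited, onstack = set(), set()

    def search(p, t):
        if any(b == OK for b, _ in test.get(t, [])):
            return True                        # successful from here on
        if (p, t) in onstack:
            return False                       # unsuccessful infinite computation
        if (p, t) in visited:
            return True                        # explored before; a failure there
        visited.add((p, t))                    # has already propagated to the top
        onstack.add((p, t))
        raw = product_moves(proc, p, test, t)
        if not raw:                            # maximal, unsuccessful computation
            onstack.discard((p, t))
            return False
        # Moves into unimplementable states are not paths; if only those remain,
        # the computation is neither maximal nor infinite and imposes nothing.
        ok = all(search(p2, t2) for p2, t2 in raw if p2 not in unimpl)
        onstack.discard((p, t))
        return ok

    return search(p0, t0)

def refines(proc_p, p0, proc_q, q0, tests, unimpl_p=frozenset(), unimpl_q=frozenset()):
    """P refined by Q with respect to the given finite family of tests:
    whatever P must pass, Q must pass too (Definition 2.1 quantifies over
    all tests, so this is a necessary check only)."""
    return all(must(proc_q, q0, T, t0, unimpl_q)
               for T, t0 in tests if must(proc_p, p0, T, t0, unimpl_p))

# Constructed demo systems
OMEGA = {'w': [(TAU, 'w')]}                       # nu x.tau.x
FF = {'f': []}                                     # mu x.tau.x, a single # state
A_ONLY = {'p': [('a', 'q')]}                       # a.0
EXT = {'p': [('a', 'q'), ('b', 'q')]}              # a.0 + b.0   (external choice)
INT = {'p': [(TAU, 'pa'), (TAU, 'pb')],            # a.0 v b.0   (internal choice)
       'pa': [('a', 'q')], 'pb': [('b', 'q')]}
T_A = ({'t0': [('~a', 't1')], 't1': [(OK, 't2')]}, 't0')   # ~a . ok . 0
T_OK = ({'t0': [(OK, 't1')]}, 't0')                         # ok . 0 (trivial test)
TESTS = [T_A, T_OK]

if __name__ == '__main__':
    print(must(OMEGA, 'w', *T_A), must(OMEGA, 'w', *T_OK))        # False True
    print(must(FF, 'f', *T_A, unimpl={'f'}))                        # True
    print(must(EXT, 'p', *T_A), must(INT, 'p', *T_A))               # True False
    print(refines(INT, 'p', EXT, 'p', TESTS), refines(EXT, 'p', INT, 'p', TESTS))  # True False
```

The outputs mirror the discussion above: $\Omega$ passes only the trivial test, the unimplementable $\mathit{ff}$ passes everything vacuously, and the internal choice $a.0 \vee b.0$ fails a test that the external choice $a.0 + b.0$ and the process $a.0$ both pass, so the internal choice sits below both in $\sqsubseteq$, as $P \vee Q \sqsubseteq P$ states.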
3. Properties of the Must-Preorder. In this section we investigate the utility of our calculus for the heterogeneous specification of reactive systems. We show that our must-preorder is a conservative extension of the one of DeNicola and Hennessy, provide its characterization in terms of traces and initial action sets, investigate its close relation to LT$\mu$ satisfaction, and finally establish its compositionality properties.

3.1. Extension of DeNicola and Hennessy's Must-Preorder. It is easy to see that our must-preorder $\sqsubseteq$ is a conservative extension of the original must-preorder $\sqsubseteq_{\mathrm{DH}}$ of DeNicola and Hennessy, defined on CCS processes [11]. The reason is that their and our definitions of the testing framework coincide on CCS processes. Hence, we may formally obtain the following conservativity theorem.

Theorem 3.1. Let $P, Q$ be CCS processes. Then, $P \sqsubseteq Q$ if and only if $P \sqsubseteq_{\mathrm{DH}} Q$.

3.2. Characterization. We now present a characterization of our must-preorder which will be used for obtaining some of our main results. The characterization closely follows the lines of a similar characterization of DeNicola and Hennessy's must-preorder [11]. It uses the notation $I(P)$ for the set $\{a \in \mathcal{A} \mid P \stackrel{a}{\Longrightarrow}\}$ of visible initial actions of $P$.

Theorem 3.2. Let $P, Q$ be processes. Then $P \sqsubseteq Q$ if and only if for all $w \in \mathcal{A}^\infty$ such that $P \Downarrow w$:

1. $Q \Downarrow w$;

2. if $|w| < \omega$: $\forall Q'.\ Q \stackrel{w}{\Longrightarrow} Q'$ implies $\exists P'.\ P \stackrel{w}{\Longrightarrow} P'$ and $I(P') \subseteq I(Q')$;
   if $|w| = \omega$: $w \in \mathcal{L}_\omega(Q)$ implies $w \in \mathcal{L}_\omega(P)$.

Observe that this characterization is also sensitive to infinite traces and not only finite ones (cf. Cond. (2)). This is superficially similar to the improved failures model of [7]; the difference is that infinite traces in [7] convey divergence information, while they convey convergence information in the above characterization.

The proof of the above theorem relies on the following four distinguished tests, where $k \in \mathbb{N}$, $w = (a_i)_{0 \le i < k} \in \mathcal{A}^*$, $v \in \mathcal{A}^\omega$, and $a \in \mathcal{A}$.

1. $T^{\Downarrow}_w := \bar{a}_0.\bar{a}_1. \cdots .\bar{a}_{k-1}.0 \mid \tau.\surd.0$

2. $T^{\mathrm{fin}}_w := \bar{a}_0.(\bar{a}_1.( \cdots (\bar{a}_{k-1}.0 + \tau.\surd.0) \cdots ) + \tau.\surd.0) + \tau.\surd.0$

3. $T^{\mathrm{max}}_{w,a} := \bar{a}_0.(\bar{a}_1.( \cdots (\bar{a}_{k-1}.\bar{a}.\surd.0 + \tau.\surd.0) \cdots ) + \tau.\surd.0) + \tau.\surd.0$

4. $T^{\omega}_v := \bar{v} \mid \tau.\surd.0$

The intuitions behind defining these tests are as follows.

Lemma 3.3. Let $P$ be an arbitrary LPC process.

1. Let $w \in \mathcal{A}^*$. Then, $P \Downarrow w$ iff $P\ \mathbf{must}\ T^{\Downarrow}_w$.

2. Let $w \in \mathcal{A}^*$ such that $P \Downarrow w$. Then, $w \notin \mathcal{L}_{\mathrm{fin}}(P)$ iff $P\ \mathbf{must}\ T^{\mathrm{fin}}_w$.

3. Let $w \in \mathcal{A}^*$ such that $P \Downarrow w$. Then, $w \notin \mathcal{L}_{\mathrm{max}}(P)$ iff $\exists a \in \mathcal{A}.\ P\ \mathbf{must}\ T^{\mathrm{max}}_{w,a}$.

4. Let $v \in \mathcal{A}^\omega$ such that $P \Downarrow v$. Then, $v \notin \mathcal{L}_\omega(P)$ iff $P\ \mathbf{must}\ T^{\omega}_v$.

The proof of this lemma is not too difficult but tedious; it follows our definition of must-passing tests and is similar to the corresponding proof in [9]. Note that the first property can also be carried over to infinite words, due to our 'approximative' definition of divergence.

3.3. Extension of LT$\mu$ Satisfaction. To prove that our must-preorder is also an extension of LT$\mu$ satisfaction we first recall the standard semantics of LT$\mu$. An LT$\mu$ formula is interpreted as the set of those finite and infinite sequences over $\mathcal{A}$ that validate the formula. Formally, the semantics of a possibly open LT$\mu$ term $\Phi$ is defined relative to an environment $\mathcal{E}$ mapping variables to subsets of $\mathcal{A}^\infty$. Note that our variant of the linear-time $\mu$-calculus [5] can be used to reason about deadlock traces as well, due to our inclusion of the atomic proposition $0$; this is why we also consider finite traces, in addition to infinite ones.


\[
\begin{array}{ll}
[\![\mathit{tt}]\!]^{\mathcal{E}} := \mathcal{A}^\infty & [\![\mathit{ff}]\!]^{\mathcal{E}} := \emptyset \\[1ex]
[\![x]\!]^{\mathcal{E}} := \mathcal{E}(x) & [\![\langle a \rangle \Phi]\!]^{\mathcal{E}} := \{aw \mid w \in [\![\Phi]\!]^{\mathcal{E}}\} \\[1ex]
[\![0]\!]^{\mathcal{E}} := \{\epsilon\} & [\![\mu x.\Phi]\!]^{\mathcal{E}} := \bigcap \{T \subseteq \mathcal{A}^\infty \mid [\![\Phi]\!]^{\mathcal{E}[x \mapsto T]} \subseteq T\} \\[1ex]
[\![\Phi_1 \wedge \Phi_2]\!]^{\mathcal{E}} := [\![\Phi_1]\!]^{\mathcal{E}} \cap [\![\Phi_2]\!]^{\mathcal{E}} & [\![\nu x.\Phi]\!]^{\mathcal{E}} := \bigcup \{T \subseteq \mathcal{A}^\infty \mid T \subseteq [\![\Phi]\!]^{\mathcal{E}[x \mapsto T]}\} \\[1ex]
[\![\Phi_1 \vee \Phi_2]\!]^{\mathcal{E}} := [\![\Phi_1]\!]^{\mathcal{E}} \cup [\![\Phi_2]\!]^{\mathcal{E}} &
\end{array}
\]

In case $\Phi$ is a formula, i.e., $\Phi$ is a closed LT$\mu$ term, it is easy to see that the environment $\mathcal{E}$ is irrelevant. We say that a CCS process $P$ satisfies $\Phi$, in signs $P \models \Phi$, if all traces of $P$ are included in the traces of $[\![\Phi]\!]$. Formally, $P \models \Phi$ if (i) $\mathcal{L}_{\mathrm{div}}(P) \subseteq \mathcal{L}_{\mathrm{div}}(\Phi)$, (ii) $\mathcal{L}_{\mathrm{max}}(P) \subseteq [\![\Phi]\!]$, and (iii) $\mathcal{L}_\omega(P) \subseteq [\![\Phi]\!]$.

Further, LT$\mu$ formulas, when considered as a sublanguage of LPC, possess two important properties. First, all formulas $\Phi$ are convergent, i.e., $\mathcal{L}_{\mathrm{div}}(\Phi) = \emptyset$. This is because the internal prefix operator '$\tau.$' is not available in LT$\mu$. In addition, the atomic propositions $\mathit{tt}$, $\mathit{ff}$, and $0$ do not give rise to divergence. As a consequence, Cond. (i) in the definition of $P \models \Phi$ above can be simplified to $\mathcal{L}_{\mathrm{div}}(P) = \emptyset$. In particular, formula $\mathit{tt}$ is satisfied by convergent processes only, whence $P \models \mathit{tt}$ if and only if $\mathcal{L}_{\mathrm{div}}(P) = \emptyset$. Second, every LT$\mu$ formula $\Phi$ is purely nondeterministic in the sense that all choices are internal: whenever $\Phi$ can engage in two different transitions $\Phi \xrightarrow{\alpha} \Phi'$ and $\Phi \xrightarrow{\beta} \Phi''$, then $\alpha = \beta = \tau$. This is due to the fact that disjunction is modeled as internal choice in LPC.

Proposition 3.4. Let $\Phi$ be an LT$\mu$ formula and $P$ a CCS process. Then, $\Phi \sqsubseteq P$ if and only if (i) $\mathcal{L}_{\mathrm{div}}(P) = \emptyset$, (ii) $\mathcal{L}_{\mathrm{max}}(P) \subseteq \mathcal{L}_{\mathrm{max}}(\Phi)$, and (iii) $\mathcal{L}_\omega(P) \subseteq \mathcal{L}_\omega(\Phi)$.

The proof of this proposition relies on our characterization theorem for $\sqsubseteq$ (cf. Thm. 3.2) and uses the two properties of formulas mentioned above. The proposition is the key for establishing the next theorem.

Theorem 3.5. Let $P$ be a CCS process and $\Phi$ an LT$\mu$ formula. Then, $P \models \Phi$ if and only if $\Phi \sqsubseteq P$.

Due to Prop. 3.4 and the definition of $\models$, it is sufficient to prove that $[\![\Phi]\!] = \mathcal{L}_{\mathrm{max}}(\Phi) \cup \mathcal{L}_\omega(\Phi)$. This can be done along the structure of LT$\mu$ formulas, but requires the appropriate extension of the definition of languages to open terms.
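As a worked example added here (it is not part of the paper), the two fixed-point clauses of the semantics above can be evaluated by hand for three formulas over the single action $a$, and the results compared with the languages of the corresponding LPC processes, which is exactly the identity $[\![\Phi]\!] = \mathcal{L}_{\mathrm{max}}(\Phi) \cup \mathcal{L}_\omega(\Phi)$ that the proof of Thm. 3.5 rests on. Write $aT := \{aw \mid w \in T\}$.

$\Phi_1 := \nu x.\langle a \rangle x$. Since $[\![\langle a \rangle x]\!]^{\mathcal{E}[x \mapsto T]} = aT$,
\[ [\![\Phi_1]\!] = \bigcup \{T \subseteq \mathcal{A}^\infty \mid T \subseteq aT\}. \]
If $T \subseteq aT$ and $w \in T$, then $w = a w_1$ with $w_1 \in T$, and by induction $a^n \le_{\mathrm{fin}} w$ for every $n$, i.e., $w = a^\omega$; hence $T \subseteq \{a^\omega\}$. Conversely $\{a^\omega\} \subseteq a\{a^\omega\}$. So $[\![\Phi_1]\!] = \{a^\omega\}$. The LPC process $\nu x.a.x$ unwinds forever by Rule (Nu): it has no maximal path and a single infinite path with trace $a^\omega$, so $\mathcal{L}_{\mathrm{max}}(\nu x.a.x) = \emptyset$ and $\mathcal{L}_\omega(\nu x.a.x) = \{a^\omega\}$, in agreement with $[\![\Phi_1]\!]$.

$\Phi_2 := \mu x.\langle a \rangle x$. Here $[\![\Phi_2]\!] = \bigcap \{T \subseteq \mathcal{A}^\infty \mid aT \subseteq T\}$, and $T = \emptyset$ already satisfies $a\emptyset = \emptyset \subseteq \emptyset$, so $[\![\Phi_2]\!] = \emptyset = [\![\mathit{ff}]\!]$. On the LPC side, $\mu_0 x.a.x\,\#$ by Rule (1); whenever $\mu_{k-1} x.a.x\,\#$, Rule (4) gives $a.\mu_{k-1} x.a.x\,\#$ and then Rule (6) gives $\mu_k x.a.x\,\#$; so $\mu_k x.a.x\,\#$ for all $k$ and Rule (7) yields $\mu x.a.x\,\#$. As no path runs along an unimplementable state, $\mathcal{L}_{\mathrm{max}}(\mu x.a.x) = \mathcal{L}_\omega(\mu x.a.x) = \emptyset$.

$\Phi_3 := \mu x.(0 \vee \langle a \rangle x)$. Now $[\![0 \vee \langle a \rangle x]\!]^{\mathcal{E}[x \mapsto T]} = \{\epsilon\} \cup aT$, so
\[ [\![\Phi_3]\!] = \bigcap \{T \subseteq \mathcal{A}^\infty \mid \{\epsilon\} \cup aT \subseteq T\}. \]
Every such $T$ contains $\epsilon$, hence $a$, $aa$, and so on, i.e., $a^* \subseteq T$, and $a^*$ itself satisfies $\{\epsilon\} \cup a\,a^* \subseteq a^*$. Thus $[\![\Phi_3]\!] = a^*$; in particular $a^\omega \notin [\![\Phi_3]\!]$, the least fixed point collecting only finitely many unwindings. In LPC, $\mu x.(0 \vee a.x) \xrightarrow{\tau} \mu_k x.(0 \vee a.x)$ for each $k$ by Rule (Mu1), and $\mu_k x.(0 \vee a.x)$ behaves as $0 \vee a.\mu_{k-1} x.(0 \vee a.x)$ by Rule (Mu2): its $\tau$-move to $0$ ends a maximal path, while its $\tau$-move to $a.\mu_{k-1} x.(0 \vee a.x)$ enters an unimplementable state exactly when $k - 1 = 0$. By induction on $k$, $\mathcal{L}_{\mathrm{max}}(\mu_k x.(0 \vee a.x)) = \{a^n \mid n < k\}$, so $\mathcal{L}_{\mathrm{max}}(\mu x.(0 \vee a.x)) = a^*$ and $\mathcal{L}_\omega(\mu x.(0 \vee a.x)) = \emptyset$, again matching $[\![\Phi_3]\!]$.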

3.4. Compositionality. One virtue of process algebras is that they allow for reasoning compositionally about processes. Our logical process calculus LPC is no exception. Indeed our must-preorder is compositional for all operators, except for the choice operators $+$ and $\vee$. This compositionality defect manifests itself in many behavioral preorders, including DeNicola and Hennessy's must-preorder. The largest precongruence $\sqsubseteq^c$ contained in $\sqsubseteq$ can be obtained in the standard fashion [11].

Definition 3.6 (Must-precongruence). For $P, Q \in \mathcal{P}$ we write $P \sqsubseteq^c Q$ if (i) $P \sqsubseteq Q$ and (ii) $Q \xrightarrow{\tau}$ implies $P \xrightarrow{\tau}$.

We can now establish the desired compositionality result.

Theorem 3.7. The preorder $\sqsubseteq^c$ is a precongruence, i.e., for all processes $P, Q$ such that $P \sqsubseteq^c Q$, the following properties hold:

\[
\begin{array}{ll}
a.P \sqsubseteq^c a.Q & \text{for all } a \in \mathcal{A} \\
P + R \sqsubseteq^c Q + R & \text{for all } R \in \mathcal{P} \\
P \vee R \sqsubseteq^c Q \vee R & \text{for all } R \in \mathcal{P} \\
P|R \sqsubseteq^c Q|R & \text{for all } R \in \mathcal{P} \\
P \wedge R \sqsubseteq^c Q \wedge R & \text{for all } R \in \mathcal{P} \\
P \backslash L \sqsubseteq^c Q \backslash L & \text{for all restriction sets } L \\
P[f] \sqsubseteq^c Q[f] & \text{for all relabelings } f \\
\mu_k x.P \sqsubseteq^c \mu_k x.Q & \text{for all } x \in \mathcal{V} \text{ and } k \in \mathbb{N} \\
\mu x.P \sqsubseteq^c \mu x.Q & \text{for all } x \in \mathcal{V} \\
\nu x.P \sqsubseteq^c \nu x.Q & \text{for all } x \in \mathcal{V}
\end{array}
\]

Moreover, $\sqsubseteq^c$ is the largest precongruence contained in $\sqsubseteq$.

The compositionality property can be checked straightforwardly for most operators by referring to Thm. 3.2. For asynchronous parallel composition, the compositionality of $\sqsubseteq^c$ follows immediately from the fact that $P|Q\ \mathbf{must}\ T$ if and only if $P\ \mathbf{must}\ Q|T$, for all $P, Q \in \mathcal{P}$ and $T \in \mathcal{T}$; this is essentially the associativity property of $|$. The proof of the 'largest' statement of Thm. 3.7 is standard [11].


4.  Discussion  and  Related  Work.  This  section  compares  LPC  to  related  work  and  discusses  in  some 
detail  the  fundamental  differences  of  the  setting  presented  in  this  paper  to  our  previous  approach  [9]. 

Most early related work couples operational and declarative approaches to system specification loosely and does not allow for mixed specifications. This includes the large amount of work on relating behavioral equivalences or preorders to temporal logics in one of the following ways: (i) establishing that one system refines another if and only if both satisfy the same temporal formulas [12, 17, 25, 31]; (ii) translating finite-state labeled transition systems into temporal formulas [30]; or (iii) encoding subclasses of temporal formulas as behavioral relations via the idea of implicit specifications [23]. Other work, in the field of compositional model checking [8, 14, 20], is aimed at supporting a modular approach for reasoning about temporal-logic specifications. Several researchers have also considered the inclusion of different fixed-point operators in behavioral theories of processes in order to model fairness and unbounded but finite delay [15, 18]. One may also find a process algebra with an element similar to our process ff in [2].

Diverging from these approaches, advanced frameworks for genuine heterogeneous specifications have been developed as well, which can be distinguished according to whether they are logic/algebraic or automata-theoretic.

4.1.  Logic/algebraic  approaches.  This  category  includes  the  seminal  work  of  Abadi  and  Lamport, 
who  have  developed  ideas  for  heterogeneous  specifications  for  shared-memory  systems  [1].  Their  technical 
setting  is  the  logical  framework  of  TLA  [22],  in  which  processes  and  temporal  formulas  are  indistinguishable 
and  logical  implication  serves  as  the  refinement  relation.  The  difference  to  our  setting  is  that  TLA  refinement 
is  insensitive  to  deadlock  and  divergence.  While  this  might  not  be  a  problem  for  shared-memory  systems,  it  is 
not  suitable  for  reasoning  about  distributed  systems,  at  which  our  calculus  LPC  aims.  Graf  and  Sifakis  follow 
a  similar  line  in  [13].  There,  a  logic  is  developed  that  includes  constructs  for  actions  and  nondeterministic 
choice,  and  a  logical  encoding  of  operational  behavior  is  given.  One  establishes  that  a  system  satisfies  a 
property  by  showing  that  the  logical  formula  associated  with  the  system  implies  the  property. 

In a different line of research, Valmari et al. have studied several congruences preserving "next-time-less" linear-time temporal logic [27], which may also handle deadlock and livelock [19, 28, 33]. A good overview by Puhakka and Valmari on the matters of liveness and fairness in process algebra can be found in [29]. This paper also observes that, during system refinement, fairness constraints are often only relevant for intermediate systems and are automatically implied when considering the larger system context. It then suggests a way to avoid constructing the usually infinite intermediate systems. Our work complements theirs in that LPC allows for embedding arbitrary LTL formulas in operational specifications, instead of a specific class of fairness constraints. However, LPC does not avoid reasoning about infinite intermediate systems, since we believe that such reasoning poses no problem when employing clever data structures for implementing our must-preorder in verification tools. Finally, note that DeNicola and Hennessy's testing theory [11] has also been enriched with notions of fairness [6, 26] to constrain infinite computations in transition systems.

4.2. Automata-theoretic approaches. Regarding automata-theoretic techniques, the work of Kurshan [21], who presented a theory of $\omega$-word automata that includes notions of synchronous and asynchronous composition, is of direct relevance to this paper. However, Kurshan's underlying semantic model maps processes to their infinite traces, and the associated notion of refinement is (reverse) trace inclusion. In theories of concurrency, such as ours, in which deadlock is possible, maximal trace inclusion is not compositional [24].

The most closely related approach to the one presented here was introduced by the authors in [9]. Büchi automata were employed to uniformly encode mixed operational and declarative behavior, exploiting the well-known relation between Büchi automata and LTL [34]. We equipped this semantic framework with a notion of Büchi must-testing that extends DeNicola and Hennessy's must-testing preorder from labeled transition systems to Büchi automata. The intuition was to consider only those infinite traces as infinite computations that go through Büchi states infinitely often, and to accept only those infinite computations for which the considered Büchi test declares success infinitely often. The relation of our Büchi must-preorder to the LTL satisfaction relation, with the central result intended to be analogous to Thm. 3.5, was then established in a purely automata-theoretic fashion by suitably adapting the construction of [34]. However, our previous approach had several shortcomings which made it unsuitable as a semantic basis for a logical process calculus; these are discussed next.

Most importantly, our paper [9] contained a subtle technical mistake in the analogue of Lemma 3.3, which propagated through the paper's results. In a nutshell, the setup of Büchi testing did not allow us, as was intended, to ignore non-Büchi divergent traces, i.e., those infinite internal computations that go through Büchi states only finitely often. While most of the results of [9] could be repaired by explicitly observing non-Büchi divergence, the framework then no longer reflected the underlying intuition, and it made compositionality difficult to achieve for some operators, including parallel composition. Moreover, our identification of ff, or other inconsistent specifications, with non-Büchi divergence led to the invalidity of the desired law $P \vee \mathrm{ff} \approx P$. The present paper repairs this defect by associating ff with a process that cannot engage in any observable transition, nor in any divergence. In order to then distinguish ff from, say, 0, we introduced the unimplementability predicate. Similar difficulties arose when interpreting tt as a Büchi-divergent process, which is why this paper distinguishes between tt and $\Omega$, making tt the smallest convergent process with respect to our must-preorder, while $\Omega$ is still the smallest process overall.

Indeed, the collection of these insights also allowed us to do away with Büchi automata as our semantic framework for heterogeneous system design altogether. Accordingly, LPC encodes the least and greatest fixed-points occurring in temporal logics via labeled transition systems, where the process-algebraic semantic rules for least fixed-points reflect the intuition that the recursion under consideration can only be unwound finitely often, while a recursion associated with a greatest fixed-point may be unwound infinitely often. Hence, in LPC all infinite traces are 'good', which means that the expressive power of Büchi automata to distinguish 'good' and 'bad' infinite traces is no longer needed. The result is a process calculus, LPC, in which classical process algebras and linear-time temporal logics can be uniformly integrated, as was envisioned in [9]. The integration is mathematically elegant, as testified by our compositionality and conservative extension results, which were established in a purely syntax-driven manner.
5. Example: Heterogeneous System Design. This section illustrates, by means of an example, the kind of refinement-based system design supported by LPC. The example advocates a heterogeneous style of system specification, combining process-algebraic and temporal-logic specifications, and thereby testifies to the utility of our calculus. It will be convenient to express temporal constraints by means of formulas in Linear-time Temporal Logic (LTL) [27], a temporal logic that engineers often prefer over the linear-time $\mu$-calculus [5]. We thus briefly show how LTL formulas can be encoded in LT$\mu$ or, more precisely, in our new calculus LPC.

5.1. Encoding of LTL in LPC. Since we would like to describe action-based distributed systems and their deadlock behavior, the variant of LTL studied here includes the atomic propositions $a$, for $a \in A$, and $0$. Note that, in the context of temporal logics, $A$ is always taken to be a finite set.

$\varphi ::= 0 \mid a \mid \mathrm{tt} \mid \mathrm{ff} \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid X\varphi \mid \bar{X}\varphi \mid \varphi\,U\,\varphi \mid \varphi\,V\,\varphi$

The temporal operators $X$, $U$, and $V$ are intuitively interpreted as next, until, and release operators, respectively. Operator $\bar{X}$ is the dual operator of $X$, which is a next operator that tolerates deadlocks; note that $X$ is not self-dual in the presence of finite traces. An LTL formula $\varphi$ corresponds to the LPC process $\{[\varphi]\}$, where the translation function $\{[\cdot]\}$ is defined inductively along the structure of $\varphi$ as follows and where $x$ is some arbitrarily chosen variable in $\mathcal{V}$.

$\{[\mathrm{tt}]\} := \mathrm{tt}$ $\quad$ $\{[0]\} := 0$ $\quad$ $\{[\varphi_1 \vee \varphi_2]\} := \{[\varphi_1]\} \vee \{[\varphi_2]\}$ $\quad$ $\{[X\varphi]\} := \bigvee_{a \in A} a.\{[\varphi]\}$

$\{[\mathrm{ff}]\} := \mathrm{ff}$ $\quad$ $\{[\varphi_1 \wedge \varphi_2]\} := \{[\varphi_1]\} \wedge \{[\varphi_2]\}$ $\quad$ $\{[\bar{X}\varphi]\} := 0 \vee \bigvee_{a \in A} a.\{[\varphi]\}$

$\{[\varphi_1\,U\,\varphi_2]\} := \mu x.\{[\varphi_2]\} \vee (\{[\varphi_1]\} \wedge \bigvee_{a \in A} a.x)$

$\{[\varphi_1\,V\,\varphi_2]\} := \nu x.\{[\varphi_2]\} \wedge (\{[\varphi_1]\} \vee 0 \vee \bigvee_{a \in A} a.x)$

For convenience, we abbreviate formula $\mathrm{ff}\,V\,\varphi$ by $G\varphi$ ("generally $\varphi$") and $\mathrm{tt}\,U\,\varphi$ by $F\varphi$ ("eventually $\varphi$"), as usual. Moreover, we let $a \Rightarrow \varphi$ stand for the process $a.\varphi \vee 0 \vee \bigvee_{b \neq a} b.\mathrm{tt}$, which is valid if and only if, for all traces of the form $aw$, trace $w$ satisfies $\varphi$.
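The translation above, implemented as an added example (not code from the paper) over a constructed finite action set A = {up, down, fail}, with G, F and the abbreviation a ⇒ φ expanded before translation; it assumes that an atomic proposition a translates to the process a.tt and draws fixed-point variables from a counter so that the output is deterministic. It is applied to the repair guarantee G(fail ⇒ F up) used in the link example below.

```python
import itertools

# Finite action set A, constructed for this example (the paper requires A finite).
A = ("up", "down", "fail")

# LTL formulas in the positive normal form of the paper, as nested tuples:
#   ("0",) ("tt",) ("ff",) ("a", name)            atoms
#   ("and", f, g) ("or", f, g)                     boolean connectives
#   ("X", f) ("Xbar", f) ("U", f, g) ("V", f, g)   next, deadlock-tolerant next, until, release
#   ("imp", name, f)                               the abbreviation "a => f"

def G(f):          # G f abbreviates ff V f
    return ("V", ("ff",), f)

def F(f):          # F f abbreviates tt U f
    return ("U", ("tt",), f)

def next_all(body):
    """Disjunction over all a in A of the prefix a.body (the encoding of X)."""
    return "(" + " \\/ ".join(f"{a}.{body}" for a in A) + ")"

def trans(f, names=None):
    """Translate an LTL formula f into an LPC term, rendered as a string."""
    names = itertools.count() if names is None else names
    t = lambda g: trans(g, names)              # recursive call sharing the variable supply
    op = f[0]
    if op in ("0", "tt", "ff"):
        return op
    if op == "a":                               # assumed clause: {[a]} := a.tt
        return f"{f[1]}.tt"
    if op == "or":
        return f"({t(f[1])} \\/ {t(f[2])})"
    if op == "and":
        return f"({t(f[1])} /\\ {t(f[2])})"
    if op == "X":                               # {[X f]} := \/_{a in A} a.{[f]}
        return next_all(t(f[1]))
    if op == "Xbar":                            # {[Xbar f]} := 0 \/ \/_{a in A} a.{[f]}
        return f"(0 \\/ {next_all(t(f[1]))})"
    if op == "U":                               # mu x.{[f2]} \/ ({[f1]} /\ \/_{a in A} a.x)
        x = f"x{next(names)}"
        return f"mu {x}.({t(f[2])} \\/ ({t(f[1])} /\\ {next_all(x)}))"
    if op == "V":                               # nu x.{[f2]} /\ ({[f1]} \/ 0 \/ \/_{a in A} a.x)
        x = f"x{next(names)}"
        return f"nu {x}.({t(f[2])} /\\ ({t(f[1])} \\/ 0 \\/ {next_all(x)}))"
    if op == "imp":                             # a.{[f]} \/ 0 \/ \/_{b != a} b.tt
        others = " \\/ ".join(f"{b}.tt" for b in A if b != f[1])
        return f"({f[1]}.{t(f[2])} \\/ 0 \\/ {others})"
    raise ValueError(f"unknown operator {op!r}")

# The repair guarantee RG := G(fail => F up) of the link example.
RG = G(("imp", "fail", F(("a", "up"))))

def repair_guarantee():
    return trans(RG)
```

Calling repair_guarantee() yields a nu-term whose body conjoins the translated fail ⇒ F up with the deadlock-tolerant next step over all of A, exactly as the V clause prescribes.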

5.2. Example. Suppose an engineer is expected to design a reliable bidirectional network link in a component-based fashion. One might think of this link as a composition of two reliable unidirectional links that are closely tied together. In particular, the failure of one unidirectional link should imply the failure of the other, which is a typical physical constraint of bidirectional links. The engineer might begin with a simple specification of an unreliable unidirectional link,

$\mathit{ULSpec} := \nu x.\mathit{up}.(x + \mathit{fail}.\nu y.\mathit{down}.(y \vee x))$,

which signals whether the link is up or down, or whether it just failed. In case of failure, the link tries to repair itself and, if and once it is successfully repaired, it returns to its initial state. However, a successful repair is not guaranteed, whence the process ULSpec may engage infinitely often in the down-loop over variable $y$.

To obtain a specification RLSpec of a reliable unidirectional link, ULSpec is simply refined by adding a constraint imposing a "repair guarantee," $\mathit{RG} := G(\mathit{fail} \Rightarrow F\,\mathit{up})$, i.e., every broken link is eventually repaired and up. We then define $\mathit{RLSpec} := \mathit{ULSpec} \wedge \mathit{RG}$, which essentially does away with the down-loop in ULSpec. The desired bidirectional link might then be specified as follows:

$\mathit{BLSpec} := (\ \mathit{RLSpec}[\mathit{up1}/\mathit{up}, \mathit{down1}/\mathit{down}, \mathit{sync}/\mathit{fail}]$

$\qquad\qquad\ |\ \mathit{RLSpec}[\mathit{up2}/\mathit{up}, \mathit{down2}/\mathit{down}, \mathit{sync}/\mathit{fail}]$

$\qquad\qquad\ ) \setminus \{\mathit{sync}\}$,

where the synchronization on action fail, via the relabeling to action sync, ensures that the failure of one unidirectional link implies the failure of the other. Note that the constraints RG indirectly refer to action sync, which is restricted in BLSpec.

The engineer may now refine the heterogeneous LPC specification BLSpec into a pure CCS implementation. The idea is to fulfill the constraints RG by eliminating the down-loop in ULSpec, thus encoding that a repair can always be successfully carried out immediately. The implementation of RLSpec might accordingly be chosen as the CCS process $\mathit{RLImp} := \nu x.\mathit{up}.(x + \mathit{fail}.\mathit{down}.x)$. We now establish that RLImp indeed refines RLSpec in the framework of our must-precongruence. First of all, it is easy to see by our characterization of $\sqsubseteq$ (cf. Thm. 3.2) that $\mathit{ULSpec} \sqsubseteq \mathit{RLImp}$, due to the internal nondeterministic choice in ULSpec. Further, we obviously have $\mathit{RLImp} \models \mathit{RG}$. Hence, we may infer by Thm. 3.5 that $\mathit{RG} \sqsubseteq \mathit{RLImp}$. Because RLImp cannot engage in an initial $\tau$-transition, we may in summary conclude $\mathit{ULSpec} \sqsubseteq^c \mathit{RLImp}$ and $\mathit{RG} \sqsubseteq^c \mathit{RLImp}$. By Prop. 2.2, which is also valid for $\sqsubseteq^c$, and by Thm. 3.7, we derive $\mathit{RLSpec} = \mathit{ULSpec} \wedge \mathit{RG} \sqsubseteq^c \mathit{RLImp} \wedge \mathit{RLImp} \sqsubseteq^c \mathit{RLImp}$, as desired.

When replacing in BLSpec the components RLSpec by RLImp, we obtain an implementation of our reliable bidirectional link, to which we refer as BLImp. Since $\sqsubseteq^c$ is a precongruence and $\mathit{RLSpec} \sqsubseteq^c \mathit{RLImp}$, we obtain $\mathit{BLSpec} \sqsubseteq^c \mathit{BLImp}$, i.e., BLImp refines BLSpec, which coincides with our intuition.

Finally, it is worth mentioning that LPC actually may be seen as a temporal logic that allows for some restricted form of branching-time reasoning. For example, the LPC process $\mathit{sync} \Rightarrow (\mathit{down1}.\mathrm{tt} + \mathit{down2}.\mathrm{tt})$ encodes the property that the system state reached when executing action sync has both actions down1 and down2 enabled. Observe that, in contrast to $\mathit{down1}.\mathrm{tt} + \mathit{down2}.\mathrm{tt}$, the term $\mathit{down1}.\mathrm{tt} \wedge \mathit{down2}.\mathrm{tt}$ in LPC specifies the obvious contradiction that every initial transition is labeled by both actions down1 and down2 at the same time.

6. Conclusions and Future Work. We presented a novel logical process calculus LPC that integrates both classical process calculi, such as Milner's CCS, and temporal logics, such as the alternation-free linear-time $\mu$-calculus LT$\mu$. The syntax of LPC enriches CCS with operators for synchronous parallel composition (conjunction) and nondeterministic choice (disjunction), as well as with minimal fixed-point operators (finite unwindings of recursion). The semantics of LPC was given in terms of labeled transition systems and an unimplementability predicate, both defined via structural operational rules. A refinement preorder on process terms was then introduced, which conservatively extends both DeNicola's and Hennessy's must-preorder and the LT$\mu$ satisfaction relation. Hence, LT$\mu$ model checking may as well be understood as refinement checking. Finally, our must-preorder was also shown to be compositional with respect to all operators in LPC.

The  outcome  of  our  studies  is  a  heterogeneous  specification  language,  which  allows  system  designers  to 
specify  systems  in  a  mixed  operational  and  declarative  style,  together  with  a  behavioral  preorder  that  permits 
component-based  refinement.  We  believe  that  our  setting  provides  groundwork  for  formally  investigating 
those  software  engineering  languages  that  support  heterogeneous  specifications  as  a  mixture  of  operational 
state  machines  and  declarative  constraints,  such  as  the  Unified  Modeling  Language  [4]. 
Regarding future work, we intend to study axiomatizations of our must-preorder. We also plan to develop an algorithm for computing the must-preorder with the goal of implementing LPC in automated verification tools, such as the Concurrency Workbench NC [10].